Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)

To: debian-security@lists.debian.org
Subject: Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
From: Gian Piero Carrubba <gpiero@rm-rf.it>
Date: Wed, 3 Apr 2024 18:03:41 +0200
Message-id: <[🔎] a2udclslwzzrl2pssx4rba6r35zhjygqb7wlo4zgbtwh3nynn2@d6m3wyf6ease>
In-reply-to: <[🔎] 6wptvhjnpekc52xgkg4475lnl7mkd6sme3xif577xdm3f5ahhs@svkzssm6fyqh>
References: <[🔎] 6wptvhjnpekc52xgkg4475lnl7mkd6sme3xif577xdm3f5ahhs@svkzssm6fyqh>

* [Wed, Apr 03, 2024 at 09:21:41AM +0100] Samuel Henrique:

# Alternative solutions:
If we really want to distinguish the case when we don't produce any affected
packages but the source contains the vulnerability (a build with different
flags might result in an affected package), we can create a new tag to show
this: not-affected-build-artifacts.

This. Just marking the CVE as not-affected does not distinguish betweendeb and deb-src, that are still part of (and shipped by) Debian.


Cheers,
Gian Piero.

Reply to:

References:
- security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
  - From: Samuel Henrique <samueloph@debian.org>

Prev by Date: Fw: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Next by Date: Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Previous by thread: Fw: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Next by thread: Re: security-tracker: A proposal to significantly reduce reported false-positives (no affected-code shipped)
Index(es):
- Date
- Thread